topic Re: HABv4 key management in i.MX Processors

HABv4 key management

mssp — Mon, 01 Dec 2025 09:59:25 GMT

Hello everyone

How would you recommend managing the keys in a situation where a third party needs the capability to independently sign software releases?

i.e. We need to give a key to someone to be able to sign, should we give them an SRK? Or just an "IMG" key? Can they even sign with just the IMG key?

As far as I understand we can only revoke SRKs and not individual IMG keys. Which means that if both us and the external partner use the same SRK, we will not be able to revoke theirs?

I have not been able to find any information in the documentation about having multiple IMG keys, or key management

Thanks

Re: HABv4 key management

Bio_TICFSL — Mon, 01 Dec 2025 14:34:13 GMT

Hello,

I'll address your question about managing keys when a third party needs to sign software releases independently.

In HABv4, only SRK (Super Root Key) keys can be revoked, not individual IMG (image) keys. The system is designed with a strict hierarchical trust model.

When working with third parties for signing:

1. SRK keys are the root of trust and are generally managed by the device owner. These keys should be carefully protected as they represent the foundation of your security model.

2. If you give a third party an SRK key, they would have complete signing authority at the root level. This is generally not recommended as it grants them extensive privileges.

3. You can provide a third party with an IMG key that's under your SRK. This allows them to sign images while you maintain control of the root key.

4. The third party cannot independently sign with just an IMG key - they need the complete certificate chain that traces back to an SRK in your device's fuses.

5. For key isolation, it's recommended to use different SRKs for different signing entities. For example, you could use SRK1 for your internal builds and SRK2 for the external partner.

6. You are correct that only SRKs can be revoked (not individual IMG keys), and this is done at the fuse level in HABv4. If both you and your partner use the same SRK, you cannot selectively revoke their signing ability without also revoking your own.

The recommended approach is to assign different SRKs to different signing entities so that if revocation becomes necessary, you can revoke their SRK without affecting your own signing capabilities.

Regards

Re: HABv4 key management

mssp — Tue, 02 Dec 2025 08:07:33 GMT

Hello, thank you for the detailed reply.

In point 3 you mention

[] an IMG key ... allows them to sign images

but on point 4

The third party cannot independently sign with just an IMG key

I am confused to whether someone can sign images with an IMG key from our chain, or if the whole SRK is necessary. Which one is it?

If sharing the whole SRK is necessary and an IMG key is not enough, what is the usecase of being able to generate multiple IMG keys (if I understand correctly from the documentation, that seems to be possible)?

Thanks

Re: HABv4 key management

Bio_TICFSL — Tue, 02 Dec 2025 13:43:11 GMT

Hi,

Yes it is possible but just one if you could manage.

Regards

Re: HABv4 key management

mssp — Tue, 02 Dec 2025 13:57:14 GMT

Hi, unfortunately I'm not sure I understand your reply.

1) Is it possible for someone to sign software just with an IMG key, or do they need to have the SRK?
2) Why would someone need more than one IMG key?

Thank you